eduGAIN Steering Group Meeting

Tuesday 13th November 2018, 13:30 - 15:00 CET

Please Note that the above time is CONFIRMED.

12:15 UTC
13:15 CET

Arrival & "Can you hear me now?" (see Connection Details)

12:30 UTC
13:30 CET

Welcome, Introductions & Agenda Agreement

12:45 UTC
13:45 CET

Membership Updates and Joining

13:05 UTC
14:05 CET

eduGAIN "the brand" (based on Haka email to eduGAIN-SG Mailing List)

  • Metadata "opt-out" vs "opt-in".
  • Metadata flow.
  • Discovery + login

13:25 UTC
14:25 CET

SIRTFI

  • SIRTFI+ Registry, Scott Koranda (Scott is unavoidably detained and can't join the meeting).
  • Federation level security contacts (Nick R)

13:45 UTC
14:45 CET

Future SG Meetings

  • Last meeting of the year - GN4-3 updates will arrive in January 2019.

13:50 UTC
14:50 CET

Any other business, Summary and Actions

  • Is it necessary that the scans of the signed eduGAIN Declarations (with the signatures of NREN directors etc.) are available online?
  • OIDC

14:00 UTC
15:00 CET

Meeting Close (or we are running over time).

Connection Details

Attendance

Federations in Attendance (29)

  1. Belnet
  2. IDEM
  3. SIFULAN
  4. TAAT
  5. RCTSaai
  6. SAFIRE
  7. DFN-AAI
  8. InCommon
  9. AAI@EduHr
  10. eduID.cz
  11. UKf
  12. PIONIER.Id
  13. SWITCHaai
  14. RIF
  15. GRNET
  16. FER
  17. eduID.hu
  18. Grid Identity Pool
  19. CAF
  20. GARR
  21. ARNaai
  22. CIF
  23. AAIEduMk
  24. SWAMID
  25. IRFed
  26. Haka
  27. HKAF
  28. LEAF
  29. IIF

Attendees (35)

  1. Brook Schofield, GÉANT
  2. Pascal Panneels, Belnet
  3. Davide Vaghetti, GARR/IDEM
  4. Muhammad Farhan Sjaugi, SIFULAN
  5. Sten Aus, TAAT
  6. Esmeralda Pires, RCTSaai
  7. Péter Molnár, eduID.hu
  8. Donald Coetzee, SAFIRE
  9. Guy Halse, SAFIRE
  10. Nick Roy, InCommon
  11. Wolfgang Pempe, DFN-AAI
  12. Miroslav Milinovic, AAI@EduHr
  13. Jiří Bořík, eduID.cz
  14. Rhys Smith, UK federation
  15. Maja Gorecka-Wolniewicz, PIONIER.Id
  16. Lukas Hämmerle, SWITCHaai
  17. Alex Mwotil, RIF
  18. Zenon Mousmoulas, GRNET
  19. Halil Adem, GRNET
  20. Anass Chabli, FER
  21. Anastas Mishev, AAIEduMk
  22. Andria Dionysiou, CIF
  23. Aouaouche El-Maouhab, ARNaai
  24. Chris Phillips, CAF
  25. Julie Menzies, CAF
  26. Davide Vaghetti, GARR
  27. Marco Fargetta, Grid Identity Pool
  28. Pål Axelsson, SWAMID
  29. Saeed Khademi, IRFed
  30. Timo Mustonen, HAKA
  31. Toby Chan, HKAF
  32. Tomasz Wolniewicz, PIONIER.Id
  33. Valentin Pocotilenco, LEAF
  34. Zivan Yoash, IIF
  35. *Marina Adomeit, SA2 Activity Leader

Apologies (6)

  1. Peter, ACOnet (mandatory internal meeting)
  2. Alejandro Lara, REUNA (Internal meeting)
  3. Nicole Harris, GÉANT
  4. Scott Koranda
  5. Raja Visvanathan, INFLIBNET
  6. Nicholas Mbonimpa, RIF
  7. Simon Green, SGAF

Draft Notes

Welcome, Introductions & Agenda Agreement

The Chair welcomed everyone to the 7th meeting of 2018.

For details on new members and candidates see https://technical.edugain.org/status and work on progressing new members is underway.

Outstanding Issues with Federations

The three (3) outstanding actions will remain outstanding. They have due dates in 2019 and are being actively worked on.

Membership Updates and Joining

The eduGAIN Compliance Issues are being worked through and we are making progress on support for the SAML2 profile being mandated.

Nick stated that InCommon have a new engineer. A major impediment to their support is not being able to modify members' metadata without positive action by participants; work is ongoing to address this.

Chris reported that CAF is looking at their lack of an MRPS.

Guy questioned why the existing validator exists and why the new validator can't be made visible, to send the correct message to federations. On the "why", Tomasz answered that there are legacy rules for existing participants, but these will be rolled forward once everyone is in line. This approach was backed by Nick and Rhys. Guy clarified that there are warnings in the new validator that are not issues; the OT will investigate and remove inconsistencies between the two.

Farhan asked what they should do regarding the SIFULAN signing key. While no immediate action is required, advice was given by the community, with Chris clarifying that any change is only for upstream metadata.

Guy asked about ECC certificates. Stefan has tried that. Maja is to clarify whether the MDS+Validator can handle this. Rhys questioned why ECC rather than 4k RSA keys. Guy has a scenario with his HSMs that don't support >2k RSA keys but do support ECC: smaller new federations might want to use USB-based HSMs (Nitrokey, Crypto Stick, et al.) to gain experience before investing in more costly ones, and many of these still only support 2k RSA keys but do also support ECC, so a 3k RSA restriction rules out these HSMs. ECC is a path forward. Rhys said that this should be started and there can be a phased approach to move toward endpoint testing/support for ECC certificates.

eduGAIN "the brand" (based on Haka email to eduGAIN-SG Mailing List)

Based on the email by the Haka federation to the eduGAIN-SG Mailing List on 5th October there was a discussion about eduGAIN "the brand".

Nick stated that HAKA requires signed authentication requests from SPs and this could cause some interoperability problems and isn't included in the next version of SAML2Int.

Timo clarified that this message was a request from the HAKA Steering Group and wasn't universally supported by the HAKA team. They are wanting services to adopt eduGAIN.

Nick stated that the REFEDS Service Catalogue paper released by Heather could be used to highlight services.

Chris Phillips stated that use of eduGAIN within CAF is significant, but they want it to be increased and to improve knowledge of the reachability of services for key researchers (not just overall volume of users).

Miro stated "Catalogue for End Users". Chris suggested "Service Directory". Nick Roy said a quick win could be the adding of search over MDUI Display Name within MET. Tomasz said that the eduGAIN entities database has this feature but lacks URLs. Nick also suggested that having a button/form to request services being exported to eduGAIN could also be made available. Chris Phillips stated that some members of CAF have had the issue that there are services that aren't accessible (because they aren't in eduGAIN). Nick mentioned the ability to decorate entries within MET. Once we have a repository of this data we could drive discovery services via those feeds.

The REFEDS 2019 work plan is currently being prepared. Common requests for "what's in eduGAIN" from federation will be taken on board in the next iteration of the GÉANT project (GN4-3 to start in 2019).

SIRTFI

Scott Koranda is unable to join today's meeting. There are regular SIRTFI conference calls co-ordinated by Tom Barton. At the last call (last Thursday) there was a request to send this information to the eduGAIN SG for their comment on whether the output of the SIRTFI+ registry is likely to be ingested into eduGAIN (or how federations would make this available). The TechEx SIRTFI presentation slides are also available to inform the SG of the progress of the SIRTFI and SIRTFI+ registry work.

Rhys stated that SIRTFI+ creates an attack point that undermines the integrity of the federation trust model. The act of "merging" metadata isn't possible in any software. The order of import is important - it is unknown in various federation tools, and the handling of this isn't consistent between tools.

Nick Roy stated that if the SIRTFI decoration is imported into eduGAIN then the entity isn't decorated in their home federation.

Chris said there are a lot of unknowns in the area of this registry. "Sympathetic" tagging of R&S in CAF if they see it tagged in another federation.

Chris asked about SIRTFI for OIDC? No, or at least not yet. Davide is aware and it will likely be future work.

Rhys is going to deep dive into the SIRTFI mailing lists to understand their goals/posture. Davide stated that interfering with the integrity of a federation is a real problem.

Nick said that for both of the SIRTFI simulations there was a need to get in touch with the federation security contact. Adding a security contact to technical.edugain.org is important.

Questions were asked on whether this should be a URL or an email address (mailto:) or (tel:). Pål asked whether we do SIRTFI for the federation?

REN-ISAC is the group that co-ordinates R&E security for the InCommon community, with almost universal coverage.

The goals for security contact information are to:

  1. collect the security contact information (up to 3 values - URL, phone, email)
  2. look at the overlap between Trusted-Introducer listed CSIRTs and eduGAIN member federations.

Autopopulation of the security contact with contact email address isn't acceptable as the security contact should at least understand TLP for sharing information.

Future meetings

There are no further meetings in 2018.